update the kube-rbac-proxy container image from 0.11.0 to latest 0.14.1 #267

Merged
merged 5 commits into from
Jun 20, 2023

@kschoche kschoche commented Jun 15, 2023

Using trivy to scan the kube-rbac-proxy image that is referenced by our helm chart it shows several which are fixed in newer releases of kube-rbac-proxy:

demo $ trivy image gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0 | grep CVE | wc -l
2023-06-20T09:24:45.087-0500    INFO    Vulnerability scanning is enabled
2023-06-20T09:24:45.087-0500    INFO    Secret scanning is enabled
2023-06-20T09:24:45.087-0500    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-06-20T09:24:45.087-0500    INFO    Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
2023-06-20T09:24:45.093-0500    INFO    Detected OS: debian
2023-06-20T09:24:45.093-0500    INFO    Detecting Debian vulnerabilities...
2023-06-20T09:24:45.093-0500    INFO    Number of language-specific files: 1
2023-06-20T09:24:45.093-0500    INFO    Detecting gobinary vulnerabilities...
      15   <----- here

Updating to latest kube-rbac-proxy shows 0:

demo $ trivy image gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1 | grep CVE | wc -l
2023-06-20T09:25:44.471-0500    INFO    Vulnerability scanning is enabled
2023-06-20T09:25:44.471-0500    INFO    Secret scanning is enabled
2023-06-20T09:25:44.471-0500    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-06-20T09:25:44.471-0500    INFO    Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
2023-06-20T09:25:44.489-0500    INFO    Detected OS: debian
2023-06-20T09:25:44.489-0500    INFO    Detecting Debian vulnerabilities...
2023-06-20T09:25:44.490-0500    INFO    Number of language-specific files: 1
2023-06-20T09:25:44.490-0500    INFO    Detecting gobinary vulnerabilities...
       0  <----- here
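
An added example (not code from this PR or the project): the before/after comparison above, done on Trivy's JSON output (`trivy image --format json`) so that each vulnerability ID is counted once and the fixed, remaining and newly introduced IDs are listed by name. The two embedded reports and every ID, package name and severity in them are constructed placeholders.

```python
import json

# Constructed reports shaped like `trivy image --format json` output.
# All IDs, package names and severities below are placeholders, not real findings.
OLD_JSON = """{"Results": [
  {"Target": "image (debian)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample-dev", "Severity": "HIGH"}]},
  {"Target": "usr/local/bin/app", "Vulnerabilities": [
    {"VulnerabilityID": "GHSA-xxxx-xxxx-0001", "PkgName": "example.com/mod", "Severity": "MEDIUM"}]}
]}"""
NEW_JSON = """{"Results": [
  {"Target": "image (debian)"},
  {"Target": "usr/local/bin/app", "Vulnerabilities": null}
]}"""


def findings(report_json):
    """Map each unique vulnerability ID in a report to its severity."""
    found = {}
    for result in json.loads(report_json).get("Results") or []:
        # Targets with no findings omit the key or carry null.
        for vuln in result.get("Vulnerabilities") or []:
            # The same ID can be listed once per affected package; keep it once.
            found[vuln["VulnerabilityID"]] = vuln.get("Severity", "UNKNOWN")
    return found


def compare(old_json, new_json):
    """Return the IDs fixed by the upgrade, still present, and newly introduced."""
    old, new = findings(old_json), findings(new_json)
    return {
        "fixed": sorted(old.keys() - new.keys()),
        "remaining": sorted(old.keys() & new.keys()),
        "introduced": sorted(new.keys() - old.keys()),
    }


if __name__ == "__main__":
    diff = compare(OLD_JSON, NEW_JSON)
    for state, ids in diff.items():
        print(f"{state}: {len(ids)} {ids}")
```

Unlike a line count from `grep CVE`, this also picks up advisories that carry a non-CVE identifier.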

@kschoche kschoche self-assigned this Jun 15, 2023
@kschoche kschoche marked this pull request as ready for review June 15, 2023 19:50
@kschoche kschoche requested a review from a team June 15, 2023 19:50
@kschoche kschoche changed the title [wip] update the kube-rbac-proxy container image from 0.11.0 to latest 0.14.1 update the kube-rbac-proxy container image from 0.11.0 to latest 0.14.1 Jun 20, 2023
@kschoche kschoche added the helm label Jun 20, 2023
@kschoche kschoche requested review from tvoran and benashz June 20, 2023 17:17

@benashz benashz left a comment

LGTM!

It would be good to run a scan of the entire cluster; we could probably do that as part of a nightly job.

@benashz benashz added this to the v0.1.1 milestone Jun 20, 2023
@kschoche kschoche enabled auto-merge (squash) June 20, 2023 18:29
@kschoche kschoche merged commit 21ee700 into main Jun 20, 2023
@kschoche kschoche deleted the update_kube_rbac_proxy_jun15 branch June 20, 2023 18:33
@tvoran tvoran mentioned this pull request Aug 16, 2023